Jetty 9.3.0 to 9.3.8 inclusive is vulnerable to an aliasing issue when running on Windows platform.
The vulnerability allows raw file resources protected by security constraints or in WEB-INF to be revealed. Only resources within the webapp are vulnerable.
The issue was fixed in release jetty-9.3.9, which is available via eclipse download or in the maven central repository. A workaround is also documented in the ocert announcement below: rewrite rules and/or filters can be installed that disallow URIs containing the backslash (\) character.
This vulnerability is an example of an alias vulnerability, where a resource on the file system can be accessed via different names. Thus if a security configuration allows all URIs except for specific patterns, then any alias that bypasses those specific patterns creates a security vulnerability. Since updates to file systems and/or JVM libraries can (and have) introduced new types of aliases, it is good security practice to install a deny constraint on all URIs and then selectively allow specific URIs.
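As an added example, not code from the Jetty project or the advisory, the following servlet filter implements the workaround described above: it rejects any request whose raw URI contains a backslash, whether literal or percent-encoded, before the request reaches the webapp's resources. The class name and the web.xml mapping shown in the comment are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical mapping in WEB-INF/web.xml, applied to every request:
 *
 *   <filter>
 *     <filter-name>backslashReject</filter-name>
 *     <filter-class>BackslashRejectFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>backslashReject</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class BackslashRejectFilter implements Filter {

    // Returns true when the raw request URI carries a backslash alias:
    // either the literal character or its percent-encoded form %5C.
    // getRequestURI() is undecoded, so both spellings must be checked.
    static boolean containsBackslash(String rawUri) {
        if (rawUri == null) {
            return true; // fail closed on a malformed request line
        }
        return rawUri.indexOf('\\') >= 0
            || rawUri.toLowerCase(Locale.ROOT).contains("%5c");
    }

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (containsBackslash(request.getRequestURI())) {
            // Stop the request here; it never reaches the resource handler.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

This is a stop-gap for the alias described in this advisory only; the deny-all-then-allow constraint configuration recommended above is what protects against aliases that have not been seen yet.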
The Jetty team would like to acknowledge the assistance of ocert in finding and handling this issue.